India is expected to announce in the coming months the formation of a cyber defense agency that would focus on protecting critical infrastructure, especially government and defense networks, from cyberattacks, according to news reports. But a formal announcement has yet to be made by the government.

Sources privy to the development tell Information Security Media Group that the agency will be working in close coordination with the national cybersecurity adviser. It will also have 1,000 personnel who will be distributed to various formations of the Army, Navy and Indian Air Force, or IAF, sources say.

The cyber agency will be based out of Delhi for close coordination with civilian counterparts, sources tell ISMG.

“This has been long overdue,” says A.V. Rajabahadur, an industrial automation consultant. “The government should have formed the agency long ago when cyberattacks on India’s critical infrastructure were first discovered back in 2010. All these years it has been sitting ducks.”

Another security expert, who requested anonymity, notes: “The idea has been doing the rounds even before the current government came to power. The ministries have been dilly-dallying over it. I can only hope this time some concrete steps are taken.”

What Led to This

In 2012, the Chiefs of Staff Committee had recommended creation of three joint commands in the areas of cyber, space and special operations due to their relevance in modern warfare, especially after Estonia in 2007 faced a massive cyberattack, which led to the collapse of its power sector, banks and other critical infrastructures. However, none of the joint commands have been formed yet.

In 2010, India was hit hard by the computer worm Stuxnet. Among those targeted were critical infrastructure facilities, including the Gujarat and Haryana electricity boards and an offshore oil rig of petroleum explorer ONGC, according to news reports.

“The agency will be given the task to protect country’s defense and government network, which come under critical infrastructure,” says Felix Mohan, founder of CISO Cybersecurity, a cybersecurity consultancy firm. “Until now, we have lacked an integrated body to tackle attacks which happen on defense and government networks. Most governments in the world have this.”

India already has in place the National Critical Information Infrastructure Protection Centre, or NCIIPC, which also looks to protect the country’s critical infrastructure from cyberattacks. NCIIPC was formed by the government in 2014.

“The role of NCIIPC is more defensive and it’s all about bringing the private players in telecom, power and other critical sectors to come together to protect an attack,” Mohan says. “The mindset is more defensive than offensive. The NCIIPC isn’t responsible for government and defense networks. They are more into civilian critical infrastructure.”

Some security experts say it’s urgent for India to get into an offensive mode to tackle cyberattacks from neighboring countries.

“India until now has practiced the defensive strategy in cyber and needs to move to offensive strategy and build capability and capacity in offensive cybersecurity posture. I think the new agency is aimed at this,” says C.N. Shashidhar, founder and CEO at SecureIT Consultancy Services, a security audit company.

Priority Steps

Some security experts suggest that the new agency should be created as a unified cyber command directing all cyber offensive and defensive capabilities of the government.

“This will inevitably involve turf wars, as around 50 different agencies are handling cyber issues now,” Shashidhar says. “But a strong political will and clear roadmap should be put in place to achieve a unified cyber command.”

Another security expert, who asked not to be named, contends the new agency should help India shift toward relying more on locally developed networking equipment, SCADA system software and hardware, and other cybersecurity products and services. “Only then will it make sense to have a cyber defense agency,” the expert claims. “If we continue to use foreign technology, we will fight a lost battle.”

Shashidhar says the new agency should be staffed with personnel from the Army, Navy and Air Force as well as specialists in cryptography and cybersecurity. That way, it could conduct continuous research in cryptography.